This isn't a new virus but it does have a nasty back door capability. I think it's worth posting a "heads up" for that reason alone.

Trend Micro has moved its threat level up to medium. They offer a free scanner to remove it. Also, this post has manual removal instructions below.

--Hope this helps out

This is from the TrendMicro site:


Virus type: File Infector

Destructive: No

Aliases: WORM_LOVGATE.J

Overall risk rating: Medium

--------------------------------------------------------------------------------

Reported infections: Medium

Damage Potential: High

Distribution Potential: High



--------------------------------------------------------------------------------

Description:



This file-infecting virus propagates via shared network drives and via email.

To spread through network shares, it searches for shared folders with read/write access in the same network and drops copies of itself into these folders using the following file names:

100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mafia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
It propagates via email by replying to all new messages received in Microsoft Outlook and Outlook Express. It sends out email with the following format:

From: <Infected User’s Name>
To: <Original Sender>
Subject: RE: <Original Subject>
Message Body:
'''<Infected User’s Name>' wrote:
====
><Original Body> >
====

YAHOO.COM Mail auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <Original Sender’s SMTP account> account now! <

Attachment: (Randomly selected from any of the following
I am For u.doc.exe"
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif

This malware also gathers target email addresses from HTML files that it finds in the current and Windows folders and a specific registry key, and sends an email message with itself as attachment to all the said email addresses. The email message that it sends is randomly generated using any of the following subjects, message bodies and attachments:

Subjects: (any of these)
• Reply to this!
• Let's Laugh
• Last Update
• for you
• Great
• Help
• Attached one Gift for u..
• Hi
• Hi Dear

Message Body: (any of these)
• For further assistance, please contact!

• Copy of your message, including all the headers is attached.

• This is the last cumulative update.

• Tiger Woods had two eagles Friday during his victory over
Stephen Leaney. (AP Photo/Denis Poroy)

• Send reply if you want to be official beta tester.
This message was created automatically by mail delivery
software (Exim).

• It's the long-awaited film version of the Broadway hit.
Set in the roaring 20's, this is the story of Chicago
chorus girl Roxie Hart(Zellweger), who shoots her unfaithful
lover (West).

• Adult content!!! Use with parental advisory.

• Patrick Ewing will give Knick fans something to cheer
about Friday night.

• Send me your comments...

Attachment: (any of these)
• About_Me.txt.pif
• driver.exe
• Doom3 Preview!!!.exe
• enjoy.exe
• YOU_are_FAT!.TXT.pif
• Source.exe
• Interesting.exe
• README.TXT.pif
• images.pif
• Pics.ZIP.scr

This malware also has backdoor capabilities. It opens ports 1092 and 20168, allowing remote users to access infected systems. After opening the said ports, it immediately sends an email notifying a remote user that the infected machine is online and accessible.

This malware runs on Windows NT, 2000, and XP systems.

Solution:
===============================================

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_LOVGATE.J and WORM_LOVGATE.DLL. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager. Press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
NOTE: Terminating an instance of this malware also launches an instance of IEXPLORE.EXE. Terminate all other malware instances first before terminating IEXPLORE.EXE.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run a .TXT or .EXE or file. The following procedures should restore the registry to its original settings.

Click Start>Run
In the Open input box, type:
command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
Press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>exefile>shell>open>command
In the right panel, locate the registry entry:
Default
Check whether its value data (right most column) is the path and file name of the malware file:
"winexe.exe %1"
If the value data is the malware file, right-click Default and select Modify to change its value.
In the Value data input box, delete the existing value and type the default value:
"%1"%*
Click OK.
Again in the left panel, double-click the following:
HKEY_CLASSES_ROOT>txtfile>shell>open>command
In the right panel, locate the registry entry:
Default
Check whether its data (in the rightmost column) is the path and file name of the malware file:
"winrpc.exe %1"
If the data is the malware file, right-click Default and select Modify to change its value.
In the Value data input box, delete the existing value and type the default value: %SysDir%\NOTEPAD.EXE %1
Click OK.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entries:
WinHelp = "C:\WINNT\System32\WinHelp.exe"
WinGate initialize = “C:\WINNT\System32\WinGate.exe –remoteshell”
Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>WindowsNT>
CurentVersion>Windows
In the right panel, locate and delete the entry:
Run = ”RAVMOND.EXE”
Close Registry Editor.
Click Start>Run, then type:
command /c del regedit.com
Disabling Malware Service

Restart your machine to terminate the malware service.
Open Registry Editor.
To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSetServices>
Microsoft NetWork FireWall Services
Still in the left panel, delete the subkey:
Microsoft NetWork FireWall Services
Close Registry Editor.
Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and clean all files detected as PE_LOVGATE.J. Delete all files detected as WORM_LOVGATE.DLL To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.